Differential fault analysis of AES: Toward reducing number of faults

Advanced Encryption Standard (AES) is a standardized symmetric-key encryption algorithm used worldwide. Due to its popularity, there have been many attacks to break it. Among them differential fault analysis (DFA) is a kind of physical attack that exploits the faulty ciphertexts generated by inducing faults during the encryption process. During the last decade a lot of variants of DFA of AES have been proposed. Mainly they try to reduce the number of required faults, to utilize different fault models, or to extend to AES-192 and AES-256. This article deals with all these directions together, especially giving weight to reducing the number of required faults. Many previous works show that the number of required faults is different although the same fault model is used. This comes from lack of a general method of constructing and solving differential fault equations. Therefore we first present how to generate differential fault equations systematically and reduce the number of candidates of the key with them, which leads us to find the minimum number of faults. Then we extend to multi-byte fault models and AES-192/256.